Cybersecurity: Attacker uses websites’ contact forms to spread BazarLoader malware



A new social engineering method is spreading this malware, and it’s very easy to fall for. Here’s what it’s doing and how to avoid it.

Image: djedzura/iStock

Everyone in the IT industry should be aware by now that email is the vector cybercriminals use most to try to infect employees with malware. Yet when a company is first approached through its own website's contact form, the exchange can look different and entirely legitimate, creating a false sense of security. Here is how this new social engineering method is being used to spread the infamous BazarLoader malware, and how to protect yourself from it.

What is BazarLoader and how much of a threat is it?

BazarLoader is a stealthy, advanced piece of malware used as a first-stage infector: once a computer is infected, it downloads additional malware and runs it. It is designed to be stealthy and resilient, and it has been used in past campaigns involving several malware families, including TrickBot, Ryuk ransomware and Conti ransomware. It is believed to be developed by the TrickBot gang.


For its command-and-control domains, BazarLoader uses EmerDNS, a naming system in which domain records are stored on the Emercoin blockchain rather than with a registrar, so they are completely decentralized and, as Emercoin itself states, uncensorable (Figure A).

Figure A

Image: Emercoin. Emercoin’s description of EmerDNS.

This makes the malware's infrastructure very resilient: there is no registrar or hosting provider who can be asked to take the domain down, and only the holder of the private key controlling the blockchain record can change or remove it. The flip side for defenders is that ordinary recursive resolvers do not answer EmerDNS names at all, so the malware has to resolve them through a dedicated gateway, and a lookup for such a name coming from an endpoint is itself an indicator worth investigating.
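One practical check that follows from this, as an added example that is not part of the original article and not code from the BazarLoader researchers it cites: scan resolver logs for queries to EmerDNS root zones, which public DNS never answers. The zone list (.coin, .emc, .lib and .bazar, the last being the widely reported source of the "Bazar" name) and the dnsmasq-style log lines are assumptions of this example; the log lines and the queried names in them are constructed, not real indicators.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# EmerDNS root zones. These labels are not delegated from the public DNS root, so a
# query for one from a corporate host is worth triaging. This list is an assumption
# of the example, not something the article states.
EMERDNS_TLDS = {"coin", "emc", "lib", "bazar"}

# Constructed sample log in dnsmasq "query[TYPE] name from client" format.
# Names and addresses are made up for this example.
SAMPLE_LOG = """\
Feb 14 10:01:02 dnsmasq[1234]: query[A] www.example.com from 10.0.0.12
Feb 14 10:01:05 dnsmasq[1234]: query[A] updates.example.net from 10.0.0.12
Feb 14 10:02:17 dnsmasq[1234]: query[A] cdn-sync.bazar from 10.0.0.44
Feb 14 10:02:18 dnsmasq[1234]: query[A] cdn-sync.bazar from 10.0.0.44
Feb 14 10:03:00 dnsmasq[1234]: query[AAAA] mail.corp.local from 10.0.0.7
Feb 14 10:04:41 dnsmasq[1234]: query[A] wallet.coin from 10.0.0.44
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def emerdns_tld(name: str) -> Optional[str]:
    """Return the EmerDNS zone if the queried name ends in one, else None.

    A trailing dot (fully qualified form) is tolerated and matching is
    case-insensitive, since DNS labels are.
    """
    label = name.rstrip(".").rsplit(".", 1)[-1].lower()
    return label if label in EMERDNS_TLDS else None


def find_emerdns_queries(log_text: str) -> List[Dict[str, str]]:
    """Parse resolver log lines and return every query for an EmerDNS zone."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (dnsmasq also logs replies, config, etc.)
        tld = emerdns_tld(m["name"])
        if tld:
            hits.append(
                {"client": m["client"], "name": m["name"],
                 "qtype": m["qtype"], "tld": tld}
            )
    return hits


def clients_by_hits(hits: List[Dict[str, str]]) -> Counter:
    """Count suspicious queries per source address, to rank hosts for triage."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_emerdns_queries(SAMPLE_LOG)
    for h in found:
        print(f"{h['client']} queried {h['name']} ({h['qtype']}) -> EmerDNS zone .{h['tld']}")
    print("hosts to triage:", dict(clients_by_hits(found)))
```

The query is the signal, not the answer: a resolver forwarding to public DNS will return NXDOMAIN for these names, so a host that keeps asking is either running an EmerDNS-aware client or is infected. If the malware resolves through its own HTTPS gateway instead, nothing will appear in the DNS log, so pair this with proxy logs for connections to known blockchain-DNS gateways.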

In addition to being technically very evolved, BazarLoader's operators have found innovative ways to spread it over time. For example, they sent emails containing no links or attachments, pretending to come from a company whose free trial was about to expire, with the recipient's credit card to be charged within a day or two for the subscription. To cancel the payment, the user had to call a phone number operated by the fraudsters, who would then provide a link that infected the user's machine. This technique is particularly good for bypassing any threat…